Enhanced security with F5 BIG-IP APM and Okta through Multi-Factor Authentication

This article is the third in the three-part series.

Go to Part 1 here: Secure Access to Web Applications with F5 and Okta using SAML 2.0 (1 of 2)

Go to Part 2 here: Secure Access to Web Applications with F5 and Okta using SAML 2.0 (2 of 2)

Multi-factor Authentication (MFA) is a security best practice that enhances authentication by requesting two or more verifiable authentication factors. Common authentication factors are: Something You Know, Something You Have, and Something You Are. In addition to configuring native MFA support, the F5 BIG-IP Access Policy Manager (APM) system offers the flexibility to combine multiple authentication mechanisms from partners like Okta.

In this DevCentral blog, we will look at how to configure APM for Okta MFA to authenticate using Something You Know and Something You Have. The HTTP connector for Okta MFA is supported in F5 BIG-IP APM system running TMOS v16.0 or later.

Setting up Okta MFA

Follow the steps below to configure ‘Okta Verify’ for mobile MFA.

Navigate to Okta web UI >> Security >> Multifactor and activate Okta Verify.

Figure 1: Activate Okta Verify MFA

Click on the Factor Enrollment option in the sub menu, then click on the Edit button.
On the popup screen, choose Everyone option under Assign to groups.
When done, press the Update Policy button.

Figure 2: Assign the MFA policy to the user group

Configuring F5 BIG-IP APM for Okta MFA

Follow the steps below to configure the HTTP connector for Okta MFA.

Create a DNS Resolver to Resolve the DNS Queries and Cache the Results

On the main menu, navigate to Network >> DNS Resolvers.
On the DNS Resolvers web page, click on the Create button.
Enter a name and click the Finished button.
On the DNS Resolvers web page, click on the above created DNS resolver list name.
Navigate to the Forward Zones tab in the sub menu to add any recursive nameservers.
When done, press the Finished button.

Figure 3: Create the DNS resolver

Creating an HTTP Connector and Assign the DNS Resolver

Navigate to Access >> Authentication >> HTTP Connector and click on HTTP Connector Transport.
On the HTTP Connector Transport web page, click on the Create button.
Enter a name and select the above created DNS Resolver and the SSL Server Profile.
When done, press the Save button.

Figure 4: Sample HTTP connector configuration

Creating the Okta Connector and Assigning the HTTP Connector

Navigate to Access >> Authentication and click on Okta Connector.
On the Okta Connector web page click on the Create button.
Enter a name and select the above created HTTP connector.
Type the Okta Domain name and paste the Okta API Token from Okta.
When done, press the Save button.

Figure 5: Sample Okta connector configuration

Note: To create a new Okta API token, navigate to Okta web UI >> Security >> API and click on Tokens.

Creating and assigning the Access profile and Access Policy to the Application

Follow the steps below to create an access profile and per-request access policy for Okta MFA and assign them to the application.

Creating the Access Profile and Access Policy

Navigate to Access >> Profiles/Policies and click on Access profiles (Per Session Policies).
click on the Create button to create a new access profile.
Enter a name and select All in the Profile Type drop down-list.
Scroll down to the Language Settings section. Select the preferred language and move it to the left into Accepted Languages box.
When done, press the Finished button.

Figure 6: Sample access profile configuration

Next, navigate to Access >> Profiles/Policies and click on Per-Request Policies.
Click on Create button to create a new access policy.
Enter a name and select All in the Profile Type drop down list.
Scroll down to the Language Settings section. Select the preferred language and move it to the left into Accepted Languages box.
When done, click on Finished button.
On the Per-Request Policies page, click the Edit button next to the above created policy.
Create the per-request policy using the Visual Policy Editor as show in the figure 7.

Figure 7: Sample per-request policy

To add the Okta MFA, click on the + sign. On the popup screen, click on the Authentication tab and select Okta MFA.
When done, click on the Add Item button.
On the popup screen, enter a name and choose the above configured Okta connector.
When done, click the Save button.

Figure 8: Sample Okta MFA configuration with ‘Okta Connector’ assigned

Assigning the Access Profile and Access Policy to the Virtual Server

Navigate to Local Traffic >> Virtual Servers >> Virtual Server List and click on the Virtual server configured for the application.
Scroll down to the Access Policy section and select the Access Profile and the Per-request Policy.
When done, press the Update button.

Figure 9: Assign the access profile and per-request policy to the virtual server

Validating and Verifying the Solution

Follow the steps below to setup and validate mobile MFA using ‘Okta Verify’.

Download the ‘Okta Verify’ app on your mobile device.
Login to Okta Web UI using your username and password.
On the dashboard, click on the user setting. Under the extra verification section, click on the Setup button.
On the resulting web page, click on Configure Factor and choose the Device Type (Android or Apple).
Scan the presented barcode with the Okta mobile app for verification, this completes the setup.
Access the application app.f5sec.net from a browser. When prompted enter the username and password.
After successful authentication, you will be prompted for MFA, click on the Send Push button.
Complete the MFA using the Okta Verify app on your mobile device.

Figure 10: User prompted for MFA after successful authentication

Conclusion

The joint F5 and Okta MFA integration offers a compelling solution for customers who are interested in securely accessing enterprise applications on-premises and in any cloud by increasing the assurance of authentication.